Tailscale vs SSH tunnels

When I first set up the shed network, I was looking forward to having a fixed IP address so that I would at least have the option of not putting everything on AWS. Being able to self-host testing environments isn't critical, but it is a lot more convenient for a small operation like SmartShepherd. I did a post on it a while back but things got wildly out of hand after that.

How wildly out of hand? Look at my awesome server rack:

Yeah OK, start ragging on me about my selection of patch cables. The awesome Cisco 3560X switch might only be 1Gb, but it supports switchable Power Over Ethernet and cost me a grand total of $160. Beulah, the HP Proliant server underneath is the guts of the test operation. In the background is the Ubiquiti router and a UPS.

Security

About 40 seconds after setting up the Ubiquiti router on the National Broadband Network (NBN) fibre connection and opening up port 22 to be forwarded to my lab server, it started getting hammered with SSH login attempts. A quick analysis of the logs showed most of it coming from Russian or Chinese addresses. Some also from Australia and the US too, but nowhere near as much. I am not sure what exactly people are after on some tiny companies network, but there you go. A google of the issue revealed the security community is somewhat split over what to do about this problem. Using certificates instead of a login for SSH is best practice, a more contentious recommendation was to simply map some other port to your SSH server. This is what I did and the amount of weird login attempts dropped to exactly 0.

From home, I could access the servers, test database and test VMs by simply using the normal ssh client in WSL2 and mapping whatever port I needed to a local port. It worked well, but as time went on and my test setup ambitions grew, I needed more port access and SSH, while working, just didn't scale.

I want a VPN...I think

When I do client customer work, they often provide a VPN solution for access to their machines. The most popular one (Forticlient) is absolute garbage. It insists on running "security scans" at odd times of the day and makes itself extremely difficult to uninstall by disabling the uninstall button in your apps. A lot of VPN clients chop off access to your local network completely, which is really inconvenient. I don't think I've ever found one that I liked. The consumer ones (ExpressVPN, NordVPN etc) have addressed some of those issues but Forticlient is lagging well behind those. The only real solution for running Forticlient is build a dedicated Windows VM and install it in there.

When it came to my own network, one thing I wanted to completely avoid is anything as intrusive as Forticlient. I figure that is a good solution for a big corporate who need to keep their employees machines locked down, but for a small operation it's just too stupid and expensive to contemplate. After some research, I decided that I wanted a WireGuard based solution but I am wary about becoming a full time system administrator when I have other work to do. Enter Tailscale - it gets mentioned positively a lot on Hacker News and generally I find that encouraging.

Is that all there is?

I registered with Tailscale and then promptly forgot about it as other work jumped the priority of securing my network. After a couple of days they sent me a gentle reminder email, so I went ahead and downloaded the tailscale client, set it up as a subnet router and went home to test it out.

Installation of the windows client was uneventful. Once it was working, I tried running up my test environment that connects to a Maria database on Beulah and it worked beautifully. At this point, that was all I needed to do. Using Tailscale, I can RDP to the couple of Windows VMs running on my server, fiddle around with Docker, get access to Chungus the development workstation for when I have forgotton to git commit etc. It's stuff I could do over SSH and tunnels, but using a single Tailscale subnet router gives me access to all of it with a single button press on the app. I have since disabled the ports for SSH on the Ubiquiti altogether. I can work from my study exactly like working in person in the shed. I'm not 100% certain it's more secure than the SSH setup, since I have merely shifted my attack surface from the local router to Tailscale, but it's certainly more convenient.

Popular posts from this blog

Tailscale ate my network (and I love it)

Image
No matter where you go, there you are If you're like me, you travel occasionally. Access to your office from home, or from an airport lounge, or from a hotel room is paramount to being productive for most of us now. While I had a fairly simple Tailscale setup that got me into my test machines in the office, what I really wanted was to integrate my AWS production VPC into that system. It's surprisingly simple. Tailscale AWS instructions What do you want to do that for? In the "before tailscale" times, if I needed to test against the production AWS resources or connect dBeaver for database maintenance, I would edit the security group to add my IP address, do my testing, edit the security group to remove myself. This is as error prone as it sounds. I quite often forgot to remove my IP address from the allowed addresses, a major potential security risk when you are travelling. Tailscale has an extremely nifty way to get around it: if you run up a small ec2 ins
Read more

That magical word: Workstation

Image
Or how I came to own a HP 8760w 17" laptop I am reading a lot of retro-computing articles lately, I grew up in the 8 bit era and I have strong nostalgia for it. It does help to be realistic though, for all the love that things like the Amiga get, they were a dead end in terms of computing. What really ate the world was the boring old IBM-PC: flickery, interlaced multi-sync monitors, beige boxes and productivity software. There was another, relatively brief path the industry could have gone down though. The Workstation was king In retrospect, it might be a bit tough to put a circle around what constituted a workstation . Is a PERQ a workstation? Probably. Xerox Alto and Star? Definitely. Symbolics Lisp machines? Not sure. Probably? The real success stories came out of Apollo , Sun, HP,IBM,NeXT,DEC and Silicon Graphics. For a time it was a hot market, especially in what was known then as technical computing: research, manufacturing, CAD, graphics, simulations. If
Read more

Time machine: Solaris 2.6 on QEMU

Image
You can never go home A big chunk of my professional career in the 1990s was spent with a Sparcstation on my desk. Before that the 68000 Sun2 and Sun3 floated past my sticky fingers but the Sparc machines quickly superseded those. I don't remember too much about which ones: pretty sure there was at least one IPX, one Sparcstation 5, a Sparcstation 10 and then the last one was most likely an Ultra 1 or maybe even an Ultra 5. It was a long time ago. Every now and again I think about how productive those machines were and do a little Ebay digging on how much one would be worth to have around. Except I don't have the room for more machines and the idea of trying to revive 25 year old hardware from that era is well beyond my electronic capabilities. Never fear, QEMU is here. Following these excellent instructions from Adafruit , you too can install Solaris 2.6 and have your very own emulated machine. Note that there is one instruction in there I am not sure you need. A
Read more